
@edenhaus
Member

@edenhaus edenhaus commented Dec 19, 2025

Breaking change

Proposed change

Remove users' refresh tokens when the user gets deactivated

Type of change

  • Dependency upgrade
  • Bugfix (non-breaking change which fixes an issue)
  • New integration (thank you!)
  • New feature (which adds functionality to an existing integration)
  • Deprecation (breaking change to happen in the future)
  • Breaking change (fix/feature causing existing functionality to break)
  • Code quality improvements to existing code or addition of tests

Additional information

  • This PR fixes or closes issue: fixes #
  • This PR is related to issue:
  • Link to documentation pull request:
  • Link to developer documentation pull request:
  • Link to frontend pull request:

Checklist

  • I understand the code I am submitting and can explain how it works.
  • The code change is tested and works locally.
  • Local tests pass. Your PR cannot be merged unless tests pass
  • There is no commented out code in this PR.
  • I have followed the development checklist
  • I have followed the perfect PR recommendations
  • The code has been formatted using Ruff (ruff format homeassistant tests)
  • Tests have been added to verify that the new code works.
  • Any generated code has been carefully reviewed for correctness and compliance with project standards.

If user exposed functionality or configuration variables are added/changed:

If the code communicates with devices, web services, or third-party tools:

  • The manifest file has all fields filled out correctly.
    Updated and included derived files by running: python3 -m script.hassfest.
  • New or updated dependencies have been added to requirements_all.txt.
    Updated by running python3 -m script.gen_requirements_all.
  • For the updated dependencies - a link to the changelog, or at minimum a diff between library versions is added to the PR description.

To help with the load of incoming pull requests:

@edenhaus edenhaus added this to the 2025.12.4 milestone Dec 19, 2025
Copilot AI review requested due to automatic review settings December 19, 2025 14:07
@edenhaus edenhaus requested a review from a team as a code owner December 19, 2025 14:07
@home-assistant home-assistant bot added bugfix cla-signed core small-pr PRs with less than 30 lines. labels Dec 19, 2025
Contributor

Copilot AI left a comment


Pull request overview

This PR addresses a security issue by ensuring that when a user is deactivated, all their refresh tokens are immediately removed, preventing them from maintaining active sessions. This is a bugfix that enhances security by ensuring deactivated users lose access immediately.

Key changes:

  • Added automatic refresh token cleanup when users are deactivated
  • Added comprehensive test coverage for the new behavior

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File                            Description
homeassistant/auth/__init__.py  Adds logic to iterate through and remove all refresh tokens when a user is deactivated
tests/auth/test_init.py         Adds test case verifying that deactivating a user removes all their refresh tokens

After reviewing the code changes, I found no issues to report. The implementation is well-done and follows Home Assistant best practices:

Correct iteration pattern: Uses list(user.refresh_tokens.values()) to create a snapshot before iteration, preventing modification-during-iteration errors

Proper method usage: Calling the @callback decorated async_remove_refresh_token method from an async function is acceptable in Home Assistant

Comprehensive testing: The test validates all expected behavior including user deactivation, token removal from both user object and manager, and handling of multiple tokens

Security improvement: This change enhances security by ensuring deactivated users immediately lose all active sessions

Consistent patterns: The implementation follows existing patterns in the auth manager (similar to how async_remove_user handles credentials removal)

The code is ready for merge.
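
The behaviour the review describes, as a constructed model rather than Home Assistant's own auth manager: deactivation with and without the token-revocation step, using the same snapshot-before-iteration pattern the review points out. The class and method names (AuthManager, User, RefreshToken, async_deactivate_user) are assumed for illustration and only echo those named in the PR; the rule that "a token still in the manager's index is still usable" is the toy model's simplification.

```python
# Constructed illustration of the pattern the review describes; not
# Home Assistant's own code. Names are assumed and only echo those named
# in the PR (refresh_tokens, async_remove_refresh_token).
import asyncio
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    is_active: bool = True
    refresh_tokens: dict[str, "RefreshToken"] = field(default_factory=dict)


@dataclass
class RefreshToken:
    token: str
    user: User


class AuthManager:
    """Toy manager: a token still present in the index can still be used."""

    def __init__(self) -> None:
        self._tokens: dict[str, RefreshToken] = {}

    def async_create_refresh_token(self, user: User) -> RefreshToken:
        tok = RefreshToken(secrets.token_hex(16), user)
        user.refresh_tokens[tok.token] = tok
        self._tokens[tok.token] = tok
        return tok

    def async_remove_refresh_token(self, tok: RefreshToken) -> None:
        # Remove from both the user object and the manager's index.
        tok.user.refresh_tokens.pop(tok.token, None)
        self._tokens.pop(tok.token, None)

    async def async_deactivate_user(self, user: User, revoke: bool) -> None:
        user.is_active = False
        if not revoke:
            return  # pre-fix behaviour: existing sessions survive
        # Snapshot the values first: removal mutates user.refresh_tokens.
        for tok in list(user.refresh_tokens.values()):
            self.async_remove_refresh_token(tok)


def deactivate_demo(revoke: bool) -> tuple[bool, int, int]:
    mgr, user = AuthManager(), User("alice")
    first = mgr.async_create_refresh_token(user)
    mgr.async_create_refresh_token(user)
    asyncio.run(mgr.async_deactivate_user(user, revoke))
    return first.token in mgr._tokens, len(user.refresh_tokens), len(mgr._tokens)
```

`deactivate_demo(False)` shows the pre-fix state (the deactivated user's tokens remain usable and stored), while `deactivate_demo(True)` shows every token gone from both the user and the manager.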

@edenhaus edenhaus merged commit 4a464f6 into dev Dec 19, 2025
71 of 72 checks passed
@edenhaus edenhaus deleted the edenhaus-disabled-user-refresh-tokens branch December 19, 2025 14:50
jcisio pushed a commit to jcisio/home-assistant-core that referenced this pull request Dec 19, 2025
@bramkragten bramkragten mentioned this pull request Dec 19, 2025
@github-actions github-actions bot locked and limited conversation to collaborators Dec 20, 2025